Why Federal Agencies Should Consider Commercially Available Governance, Risk, and Compliance Solutions
In federal agencies and beyond, the risk landscape is shifting. With new regulations, looming mandates, evolving technology, changing operations, and other emerging challenges, organizations are navigating significantly more complexity. As systems become more complex, risks increase. The US Office of Management and Budget (OMB) Circulars A-123 and A-11 underscore the urgency for agencies to implement enterprise risk management (ERM) programs. The need for an advanced approach to risk management is greater than ever.
As the risk environment evolves, the tools agencies use to monitor and evaluate risks must also evolve. All too often, however, the custom government-developed tools federal agencies use have not kept pace with the changing world. While government off-the-shelf (GOTS) governance, risk, and compliance (GRC) tools provide agencies the opportunity to design new solutions without having to reengineer their business processes, the time to develop and deploy those solutions and subsequent enhancements of functionality remains lengthy. Continuing to invest in existing GOTS GRC tools also presents a likelihood of solution defects, which often require lengthy troubleshooting. Meanwhile, agencies must rely on a cadre of developers to make functionality changes and operate and maintain GOTS GRC tools, which can be costly. For agencies with simple risk profiles and needs, this may not present a barrier to success. Others may rightly suspect there’s a better solution.
The traditional view of risk management is focused largely on compliance. That’s no longer sufficient. Today, ERM is defined as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”2 Utilizing a commercial off-the-shelf (COTS) GRC platform best suited to an agency’s needs and risk profile is key to maximizing the capabilities driving ERM. The return on investment for COTS GRC solutions should also be considered by agencies, as these tools offer a suite of modules that may be used to support other programs besides ERM.
GOTS GRC Pain Points
Many federal agencies are currently leveraging a legacy GOTS GRC tool. However, these GOTS tools typically can support only one or two use cases, and correlating data between them is challenging, as is segregating data and user access by organizational unit and providing advanced reporting. Also, many GOTS GRC tools have complex user interfaces, and functionality limitations often leave users having to export and manipulate data and route it through the organization via email to support reviews and/or reporting.
Lack of Insight Across Multiple GRC Programs
A large agency of the federal government has experienced challenges with its internal control program not identifying IT control deficiencies within the Risk Management Framework (RMF) program used for its financial management systems. A recent study on RMF IT controls assessed 503 IT controls within financial management systems across the agency. In 63% of those controls tested, internal security control assessors found the controls to be compliant, but external auditors found them deficient. The implication is clear and troubling: Authorizing officials may not have an accurate risk picture when they accredit systems and connect them to the agency network.
COTS GRC Tool Advantages
In today’s environment, some of the inconvenient pain points associated with GOTS-based GRC tools have become barriers to success. Agencies struggling with these barriers may want to consider COTS GRC solutions. Each of the many available COTS GRC tools has its own unique features, and these platforms offer some shared advantages:
The right COTS GRC tool for an agency will depend on the needs of the agency and the environment in which it operates. Forrester has rated Workiva, OneTrust, and ServiceNow as market leaders in an assessment of 15 commercially available GRC platforms. Diligent and MetricStream ranked close behind—top among their category of “strong performers.”
An agency’s IRM implementation strategy can be a determining factor in its selection of a COTS GRC platform. According to a Gartner analysis,4 an agency that has relatively siloed needs, such as having a single compliance mandate with low-risk maturity, might be best suited to tools such as Aravo or CLDigital. For agencies with a more complex risk profile, moderate risk maturity, and multiple programs, Gartner recommends platforms like LogicManager and OneTrust. Highly regulated agencies with highly complex risk profiles and high-risk maturity might be best served by options such as Diligent and ServiceNow, according to the analysis.
Given the unique needs and risk profiles of each agency, executives should have a deep understanding of their organization’s risk management requirements before determining which COTS GRC platform could provide the most value.
How Guidehouse Can Help
Guidehouse approaches ERM with the view that risk is a critical element in agencies’ ability to achieve their mission and strategic priorities. ERM is, therefore, an integral part of strategy development, execution, and performance management. Guidehouse employs two primary authors of the 2017 COSO ERM Framework, the most widely adopted ERM framework among respondents to the 2021 Federal Enterprise Risk Management Survey. Leveraging the appropriate COTS GRC platform should not be a back-office compliance program but a mission-critical decision.
A decision of such importance should rely on risk management experts who also understand the holistic needs and environment of a government agency. Guidehouse has been helping federal agencies design, develop, and grow ERM programs for more than a decade. Our organization is a leader in public sector consultation and our staff has extensive federal government experience. Guidehouse understands the unique risks involved in federal government processes because many of our consultants have worked within and for federal agencies.
Guidehouse COTS GRC Capabilities Include:
Retooling for the Future
As a leader in ERM and COTS GRC tools, Guidehouse offers specialized expertise to federal agencies to implement or improve ERM programs and implement COTS GRC tools.
As federal agencies work to evolve their risk management practices and tools to meet the changing risk environment, they should consider whether their existing GRC platform offers the functionality to keep pace with their business needs. Continuing to invest in existing GOTS tools may be sufficient for some agencies. The more complex the agency, however, the higher the potential for better outcomes with a COTS tool. To determine the best path, agencies should invest in a thorough evaluation of their risk management needs and the available COTS GRC tools. With the right solution, agencies can maximize their ERM capabilities and be prepared for a changing world.
Guidehouse COTS GRC Success Stories
Some examples of our projects assisting federal agencies with GRC tools include the following: